Bug 281894 - dns/unbound: Security upgrade to 1.21.1
Summary: dns/unbound: Security upgrade to 1.21.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Robert Clausecker
URL: https://nlnetlabs.nl/news/2024/Oct/03...
Keywords: security
Depends on:
Blocks:
Reported: 2024-10-06 12:23 UTC by Jaap Akkerhuis
Modified: 2024-10-06 16:21 UTC

See Also:
fuz: merge-quarterly?


Attachments
patch to upgrade (4.64 KB, patch)
2024-10-06 12:23 UTC, Jaap Akkerhuis
jaap: maintainer-approval+

Description Jaap Akkerhuis 2024-10-06 12:23:27 UTC
Created attachment 254050 [details]
patch to upgrade

A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for.

Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks.

Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long.

This change should not affect normal DNS traffic.

We would like to thank Toshifumi Sakaguchi for discovering and responsibly disclosing the vulnerability.


Apart from this, this port also includes a patch to fix a bug for people using the base OpenSSL (see also bug #281804).
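The budgeted name compression the report describes, as an added example that is not Unbound's code: every suffix lookup costs one unit of a per-packet budget, and once the budget is spent the remaining names are written uncompressed, so a reply with a huge RRset cannot tie up the CPU. The owner names, budget values and pointer-loop guard are constructed for illustration.

```python
# Added example, not Unbound's code: RFC 1035 name compression under a
# per-packet work budget, in the spirit of the 1.21.1 mitigation above.

def compress_names(names, budget):
    """Emit constructed names in wire format; an already written suffix
    becomes a 2-byte pointer. Each suffix lookup costs one unit of `budget`;
    once spent, remaining names go out uncompressed (semi-compressed packet),
    bounding CPU time per packet. Returns (wire_bytes, budget_exhausted)."""
    out, offsets, exhausted = bytearray(), {}, False
    for name in names:
        labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            if budget > 0:
                budget -= 1
                if suffix in offsets:                 # compression hit
                    ptr = offsets[suffix]
                    out += bytes([0xC0 | (ptr >> 8), ptr & 0xFF])
                    break
                if len(out) < 0x4000:                 # 14-bit pointer range
                    offsets.setdefault(suffix, len(out))
            else:
                exhausted = True                      # no more lookups
            out += bytes([len(label)]) + label
        else:
            out.append(0)                             # root label
    return bytes(out), exhausted

def decode_names(wire, count, max_hops=16):
    """Read `count` names back, following pointers with a loop guard."""
    names, pos = [], 0
    for _ in range(count):
        labels, p, resume, hops = [], pos, None, 0
        while True:
            length = wire[p]
            if length & 0xC0 == 0xC0:                 # pointer
                hops += 1
                if hops > max_hops:
                    raise ValueError("compression pointer loop")
                resume = p + 2 if resume is None else resume
                p = ((length & 0x3F) << 8) | wire[p + 1]
                continue
            if length == 0:
                p += 1
                break
            labels.append(wire[p + 1:p + 1 + length].decode("ascii"))
            p += 1 + length
        pos = resume if resume is not None else p
        names.append(".".join(labels))
    return names
```

With a budget of 5 or more the second name's `example.com` suffix becomes a pointer to offset 4; with a budget of 3 the first name is compressed normally and the second is emitted in full, which is the semi-compressed outcome the report describes.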
Comment 1 Robert Clausecker freebsd_committer freebsd_triage 2024-10-06 15:26:34 UTC
Thank you.  Will process this one urgently.  I have rewritten the VuXML entry to add paragraph breaks.
Comment 2 commit-hook freebsd_committer freebsd_triage 2024-10-06 16:17:44 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4af9b830bfc0df17b05eee4247b637efa40b13bc

commit 4af9b830bfc0df17b05eee4247b637efa40b13bc
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2024-10-05 13:30:31 +0000
Commit:     Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2024-10-06 16:16:21 +0000

    dns/unbound: Update to version 1.21.1

     - patch for users who use base OpenSSL

    PR:             281894, 281804
    Security:       2368755b-83f6-11ef-8d2e-a04a5edf46d9
    Security:       CVE-2024-8508

 dns/unbound/Makefile                                          |  2 +-
 dns/unbound/distinfo                                          |  6 +++---
 .../files/patch-smallapp_unbound-control-setup.sh.in (new)    | 11 +++++++++++
 dns/unbound/pkg-plist                                         |  2 +-
 4 files changed, 16 insertions(+), 5 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-10-06 16:17:47 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7382ac2b1be7e88d833178bd9da899342293aa2f

commit 7382ac2b1be7e88d833178bd9da899342293aa2f
Author:     Robert Clausecker <fuz@FreeBSD.org>
AuthorDate: 2024-10-06 15:22:35 +0000
Commit:     Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2024-10-06 16:16:19 +0000

    security/vuxml: document unbound vulnerability

    PR:             281894
    Security:       CVE-2024-8508
    Security:       2368755b-83f6-11ef-8d2e-a04a5edf46d9

 security/vuxml/vuln/2024.xml | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
Comment 4 Robert Clausecker freebsd_committer freebsd_triage 2024-10-06 16:21:10 UTC
Thank you for your contribution.